GDPR compliance without cookie consent banners

Hi all. I have some questions on GDPR and privacy laws compliance when using Snowplow. I looked into the related discussions but could not quite find the information I need. It would be great if someone could answer the following questions:

  1. If we use Snowplow without cookies, how are events/actions tracked, and can we still perform funnels and retention analysis?
  2. If we self-host Snowplow and intend to be GDPR and other privacy laws compliant, do we have to get user consent on our website for enabling tracking?

Hi @Tapa,

It’s difficult for us to give you clear answers on either question, because the first depends on context, and the second is a question about the law, which we’re not likely to be able to speak about on a forum of primarily engineers/analysts.

However I’ll try to give you as helpful an answer to each as I can:

  1. If we use Snowplow without cookies, how are events/actions tracked, and can we still perform funnels and retention analysis?

There’s a pretty thorough blog post which explains what the various anonymisation/cookieless features do, and how to use them.

The most restrictive of these options is to track users anonymously, with no cookies or IP addresses used. You can still perform funnels but it depends on what your analysis needs - for anything that requires you to identify any particular user over time, it can’t be done without some user identification, by definition.

So it’s hard to see how a retention analysis would work if you’re never collecting any means of identifying particular users.

However this is why there are many options to the feature - you must choose whichever approach best fits your requirements within the law.

  2. If we self-host Snowplow and intend to be GDPR and other privacy laws compliant, do we have to get user consent on our website for enabling tracking?

This is a question best directed at a lawyer. The GDPR bases for processing have nuances, and to answer this question one would need to be qualified to comment on whether or not your particular use case for collecting data can be interpreted as fitting one or the other legal definitions.

What we can say is that Snowplow at no point requires data to touch any servers hosted external to your own first party infrastructure. This is true of an Open-Source pipeline and also true of the Snowplow Insights product we manage (we set up the pipeline within the customer’s own infrastructure).

So in that sense, the data is all first-party, however again I’m speaking in technical terms here - as far as how the pipeline works that’s my understanding. I have absolutely no clue how that relates to the law. 🙂

Apologies that I can’t be more specific here, I hope that all makes sense and is at least somewhat helpful for you.

Hi @Colm,

Thank you for the detailed response. This is helpful. I’ll go over the blog post you shared again and try to determine the best approach for us.

Regards,
Tapa